How Grassroots Activists in Georgia Are Leading the Opposition Against a Dangerous “Computer Crime” Bill

A misguided bill in Georgia (S.B. 315) threatens to criminalize independent computer security research and punish ordinary technology users who violate fine-print terms of service clauses. S.B. 315 is currently making its way through the state’s legislature amid uproar and resistance that its sponsors might not have fully anticipated. At the center of this opposition is a group of concerned citizen-advocates who, through their volunteer advocacy, have drawn national attention to the industry-wide implications of this bill.

You have most recently been organizing around Georgia Senate Bill 315. What is the bill about, and what are your concerns with it?

Scott: Senate Bill 315 is a computer intrusion bill. Georgia already has on the books some very strong laws against computer intrusion, computer fraud, and the malicious side of hacking. I think this is pretty well covered in state law as it is.

There was an incident last year at Kennesaw State University. Some of the functions for conducting elections in the state of Georgia were farmed out to KSU and their Election Center, and there was a data breach there. That was very big in the news. What they didn’t say in the news at the time was that [it was] a security researcher who found a vulnerability and reported it ethically. As it turns out, the researcher in question was not even targeting KSU election systems, but merely found inappropriate personal information via a Google search, and then tried to get authorities to act quickly to remove it. This person, as we found out later, was investigated by the FBI and they came up clean. [The FBI] didn’t have anything to charge them with, so they left.

The state feels very embarrassed by this, and the attorney general’s office has asked for a bill that goes above and beyond the existing statutes that we have against computer crime. That’s where Senate Bill 315 came from. To use the language that the attorney general’s office used, they want to build it to criminalize so-called “poking around.” Basically, if you’re looking for vulnerabilities in a non-destructive way, even if you’re ethically reporting them—especially if you’re ethically reporting them—suddenly you’re a criminal if this bill passes into law.

David: I’ve worked in Atlanta cyber security for about 13 years and it’s a very tight-knit community. People from one company will go to another company, or a lot of the founders from one company will end up founding another company. A lot of them started from incubators and think tanks at our university system here—a lot of them at Georgia Institute of Technology. So if you have a chilling effect on one founder or one person who is interested in this kind of topic it can really stifle an entire industry and the whole chain of people creating all these other organizations.

Other than security researchers, who else needs to be concerned about this bill?

Scott: The other issue with Senate Bill 315 is it’s so broadly written that it could bring in terms of service [enforcement]. Terms of service come from a private company—for instance, your cable and Internet provider have terms of service. The bill is so broadly written that a violation of terms of service could possibly be construed as a criminal violation, and that would be improper delegation of powers.

David: S.B. 315 uses the term, “unauthorized access,” which is a very murky term. If you’re trying to go through all the proper channels in advance and get authorization for something, it’s not always clear who the person who has the authority to give that authorization is. If it’s a website and you’re testing some part of a website’s security you might think it’s the website administrator, but often it’s not. Often it’s their IT dev ops team or the tech ops team or something else. You may even get permission from one person and think you’re in the clear, and the next thing you know they say that’s not the correct authorization. With the broadness of the way this bill is written, there are way too many circumstances where somebody could be in violation of the law just performing their daily duties.

What is your game plan right now for fighting this bill?

Scott: It was voted on by the Senate, so now it goes on to the House and it will be heard in committee. The game plan right now would be to line up support to have a good showing at the House committee meeting. What we need in addition to ordinary people who do technology every day is some C-level people—CEOs, CIOs, CFOs, CTOs, CISOs, etc.

Electronic Frontiers Georgia participates in the Electronic Frontier Alliance. From that perspective, are there any notable differences between legislative-based organizing and, say, generally raising awareness of digital rights locally?

Scott: As far as legislative versus non-legislative organizing: Electronic Frontiers Georgia is also very interested in raising general awareness and teaching basic concepts, but I’m finding that it’s really hard to do both. We’re in legislative mode while the legislature is in session, which is roughly January 1st through about April 1st. After the legislative season is over we pivot back to educational and social mode. It’s good to do both, but it can be very difficult to do both at the same time. Groups that are actively doing activism at the state level shouldn’t beat themselves up if they’re not able to keep the same educational schedule up during the busy legislative season.

Electronic Frontiers Georgia has started working with other community groups in the area on the S.B. 315 fight. What advice would you give to grassroots groups who want to work more collaboratively with each other but have never done so before?

Scott: What I’m finding is that there are a lot of groups in the area but a lot of them are siloed, which is to say that they essentially keep to themselves and don’t mix with the other groups very frequently. They’re focused on their main core interest, and they just probably haven’t considered some of the issues like S.B. 315. It’s a challenge to bring disparate groups together, but I’m trying to talk to them. For example, I’m giving a talk on S.B. 315 to DC404, which is the local DEFCON group—an information security group.

We’re also trying to invite in other groups that are not necessarily technology-focused that I think would be interested in this particular fight if they just understood it better. One of the real struggles with S.B. 315 is trying to convince people who don’t work in technology that this is something they should care about. With news of data breaches every day, how do you explain to somebody that this is actually going to make security worse rather than make it better? That requires a lot of explaining. Some of these groups are looking for speakers and content, and that’s an opportunity for us to step in and fill that, and maybe explain our position to a better degree.

Related Updates

Your landlord is prohibited from making deals that restrict you to a single video provider, and those prohibitions should apply to your broadband service as well. Yet, across the country, tenants remain locked into a single choice.

Grassroots digital rights organizing has many faces, including that of hands-on hardware hacking in an Ivy League institution. Yale Privacy Lab is a member of the Electronic Frontier Alliance, a network of community and student groups advocating for digital rights in...

A proposed amendment to the Chicago municipal code would allow businesses to use face surveillance systems that could invade biometric and location privacy, and violate a pioneering state privacy law adopted by Illinois a decade ago. EFF joined a letter with several allied privacy organizations explaining our concerns...

For too long, the New York Police Department has secretly deployed cutting-edge spy tech, without notice to the public. Many of these snooping devices invade our privacy, deter our free speech, and disparately burden minority and immigrant communities. Fortunately, a proposed ordinance (“the POST Act”) would lift the cloak of...

This week, two California jurisdictions joined the growing movement to subject government surveillance technology to democratic transparency and civilian control. Each culminated a local process spearheaded by concerned residents who campaigned for years. First, on Monday, the City of Palo Alto voted 8-1 to adopt an ordinance to...

Among the many bills awaiting the signature—or veto—of Governor Jerry Brown is AB 3131, a measure that would ensure transparency about police militarization across the State of California. While we are disappointed in recent legislative amendments that weakened the original bill, we remain eager to see it...

For the second year in a row, the California State Assembly’s Appropriations Committee has effectively killed a bill that was poised to ensure transparency, community oversight, and civil liberties regarding proliferating police surveillance technology. S.B. 1186 was approved by the California Senate, as well as by two Assembly policy...

Free WiFi all across New York City? It might sound like a dream to many New Yorkers, until the public learned that it wasn’t “free” at all. LinkNYC, a communications network that is replacing public pay phones with WiFi kiosks across New York City, is paid for by advertising that...

There is a new gold standard in the movement to require transparency and community engagement before local police departments are permitted to acquire or use surveillance technology. Oakland’s Surveillance and Community Safety ordinance builds upon the momentum of several cities and counties that have enacted laws to protect their...

Public safety requires trust between government and the community served. To ensure that trust, Oakland needs a participatory process for deciding whether or not to adopt new government surveillance technologies, and ongoing transparency and oversight of any adopted technologies.